Authorizations

Personnel Management uses the authorization provided by SAP Web Application Server. Therefore, the
recommendations and guidelines for authorizations as described in the SAP Web AS Security Guide
ABAP and SAP Web AS Security Guide Java also apply to Personnel Management.
The SAP Web Application Server authorization concept is based on assigning authorizations to users
based on roles. For role maintenance, use the profile generator (transaction PFCG) on SAP Web AS
ABAP and the User Management Engines user management console for SAP Web AS Java.
Standard Roles
The following table shows the standard roles that are used by Personnel Management.
Standard Roles
Function Description
SAP_HR_BN* Roles assigned to component PA-BN
(Benefits)
SAP_HR_CM*

Roles assigned to component PA-CM
(Compensation Management)
SAP_HR_CP*

Roles assigned to component PA-CM-CP
(Personnel Cost Planning)
SAP_ESSUSER_ERP05 Role with all non country-specific functions
forEmployee Self-Service.
For more information, see the Security Guide
for Self-Services.
SAP_EMPLOYEE_ERP05_xx Roles related to the Employee Self-
Service country versions
SAP_HR_OS*

Roles assigned to component PA-OS
(Organizational Management)
SAP_HR_PA_xx_* Roles related to international and country
versions of the component PA-PA (Personnel
Administration)
SAP_HR_PA_XF*

Roles assigned to the component CA-GTF-XF
(SAP Expert Finder)
SAP_HR_PA_PF_xx_*

Roles assigned to component PA-PF (Pension
Fund)
SAP_HR_PD* Roles assigned to component PA-PD
(Personnel Development)
SAP_HR_RC*

Roles assigned to component PA-RC
(Recruitment)
SAP_HR_REPORTING Role for Human Resources Analyst
SAP_AUDITOR_TAX_HR


This role is relevant for Germany only.
Role HR-DE Steuerprfung 147 AO
(Muster)assigned to the component PA-PA-
DE (Personnel Administration Germany).
SAP_ASR_EMPLOYEE Enhancement of the role
SAP_ESSUSER_ERP05 for the employees
that use the functions of the component PA-AS
(HR Administrative Services)
SAP_ASR_MANAGER Enhancement of the role
SAP_ESSUSER_ERP05 with functions for the
persons with personnel responsibility that use
the functions of the component PA-AS (HR
Administrative Services)
SAP_ASR_ADMINISTRATOR Enhancement of the role SAP_HR_PA_xx_* for
the HR administrators that use the functions of
the component PA-AS (HR Administrative
Services)
For the roles marked with an asterisk (*), several roles exist for each of the components. For roles with
xx, where xx represents the SAP country key, various roles exist for each of the country versions.
Standard Authorization Objects
The following table shows the most important central security-relevant authorization objects used
by Personnel Management.

For more information about Personnel Management authorizations, see SAP Library
under ERP Central Component Human Resources Personnel
Management Personnel Administration Technical Processes in Personnel
Administration Authorizations for Human Resources.
Most Important Standard Authorization Objects
Authorization Object Field Value Description
P_ORGIN HR Master Data Used when checking
authorizations for HR infotypes.
The check takes place when HR
infotypes are edited or read.
P_ORGINCON

HR Master Data with
Context
This authorization object consists
of the same fields as the
authorization object P_ORGIN,
and also includes the field PROFL
(structural profile). The check for
this object means that user-specific
contexts can be included in the HR
master data.
P_ORGXX

HR Master Data
Extended Check
With this object you can determine
whether other fields are also to be
checked. You can determine
whether this check is to be
performed in addition to or instead
of the HR Master
Data authorization check.
P_P_ORGXXCON

HR Master Data
Extended Check with
Context
This authorization object consists
of the same fields as the
authorization object P_ORGXX,
and also includes the field PROFL
(structural profile). The check for
this object means that user-specific
contexts can be included in the HR
master data.
P_TCODE HR: Transaction Code This authorization object checks
certain specific transactions in SAP
Human Resources Management.
PLOG

Personnel Planning Used to indicate the types of
information processing a user is
authorized to perform.
PLOG_CON

Personnel Planning
with Context
This authorization object consists
of the same fields as the object
PLOG, and also includes the field
PROFL (structural profile). The
check for this object means that
user-specific contexts can be
included in the HR master data.
P_ASRCONT Authorization for
Process Content
The Authorization for Process
Content object is used by the
authorization check for HR
Administrative Services. It checks
the authorization for access to
various process contents and also
runs through the authorization
objects that you have specified in
Customizing in T77S0 (see note
below). For more information,
see Authorization Concept of
HCM Processes and Forms.

In Customizing, you can determine whether specific authorization objects are to be checked.
All central switches and settings for the Human Resourcesauthorization check are
summarized in table T77S0 in the Group for semantic short text for PD Plan AUTSW. Note
that changes to the settings severely affect your authorization concept.
For more information about changing the main authorization switch, see the Implementation
Guide (IMG) for Personnel Administration under Tools Authorization Management.